Has continuous security arrived with the rise of rapid development?

It's often the case that doing something faster adds flaws to what you do. That doesn't seem to be true, though, when it comes to rapid application development.

According to the SANS Institute's latest annual "State of Application Security" report (PDF), organizations that make changes to their code more quickly are also fixing more security vulnerabilities than their slower-moving competitors.

They're doing so by breaking down organizational silos and moving more responsibility for security testing directly to developers or to cross-functional teams, the report says. These companies are also taking advantage of end-to-end workflow automation, which integrates security into agile and DevOps toolchains so they can test security faster and more often.

"Mistakes are still made. The idea is that with rapid application development, when you make a mistake, you have the ability to recover from that mistake very quickly," said Eric Johnson, the application security curriculum product manager at SANS.

"In the old world, you could have an outage that lasted for hours. In the DevOps world, you could recover in two minutes by pushing out a patch."
Eric Johnson

Here are the key strategies these organizations use to build continuous security into their app dev lifecycles.


Chunk up your code

To develop applications quickly, you must write code in chunks. That can also contribute to producing more secure apps. "It's much easier and quicker to do a security assessment on small chunks of code," said Ryan O'Leary, chief research officer at WhiteHat Security, an application security platform maker and a sponsor of the report.

When you're writing smaller units of code, you're testing more often. That contrasts with traditional development methods that dumped an entire application on the quality assurance team near the end of the development cycle.

"With rapid development, you don't have that luxury. You want to get things off in a week, so you can't wait until the end to fix things that needed fixing in the beginning."
Ryan O'Leary

Make more frequent changes

SANS' Johnson, an advisor for the report, recalled his experience pushing out apps on a quarterly basis. "When you think of all the modifications and changes that could be made in that timeframe, if something slips through you've got a lot of different areas in which to look to find a mistake," he explained. 

"By doing these small, incremental changes, when something does go wrong the scope for it is very small, so the blast radius for the deployment is very minimal. You might be looking at two files instead of 40 different modules," he said.

According to the report, based on a survey of 214 IT professionals, 43% of organizations push out changes on a weekly, daily, or continuous basis. Two-thirds of organizations reported that only 10% of the vulnerabilities discovered each month are critical and in need of immediate remediation. Of the critical vulnerabilities found, almost half (41%) are fixed in a week, and a little over a third (34%) are fixed within a month.

"I've been in situations where I couldn't push out fixes to certain products because they only did quarterly releases, and the severity of the vulnerability wasn't high enough to push it out, so they waited until the next quarterly release to do it," said Aaron Weaver, a leader of the Philadelphia chapter of OWASP and the OWASP AppSec Pipeline.

"If you're doing rapid development, you can fix that vulnerability the next day. That's the power of rapid development, if you're doing it properly."
Aaron Weaver

More app sec testing is better

Chunking has also led to components being more loosely coupled within applications, said Amy DeMartine, a principal analyst at Forrester Research. 

"They're less spaghetti-like and dependent on each other, and with well-defined inputs and outputs. That means developers can work on a small piece of code and any changes really only affect their small piece of code without any ramifications on the rest. That increases quality."
Amy DeMartine

When teams have a year or more of release goals, many interdependent things are changing at once, so it's hard to know what to test and to make sure the testing is complete, she added.

However, while application security assessment was moving faster, some organizations were falling behind on their testing, the report states. One quarter of respondents test security once a year or less—not fast enough in a rapid development environment.

Worse yet, one in 10 organizations aren't testing or assessing their business-critical applications at all. "Most organizations are still relying heavily on audits and external reviews, pen testing, and other manually intensive processes to find security vulnerabilities," the SANS report said.

Use test automation to stay out front

Still, the survey showed that organizations developing applications rapidly were testing more frequently than their slower brethren. For example, 33% of rapid developers were testing their applications on a continuous, daily, or weekly basis, or more than once a month, but only 22% of slower developers were doing the same.

What's more, the report noted a significant rise in the number of organizations using developers to do security testing. Over the past three years, the percentage of organizations that rely on development teams to do security testing has increased from 22% in 2015 to 51% in 2017.

A key contributor to that increase is automation, and another is integrating security into integrated development environments (IDEs), said Meera Subbarao, a senior principal consultant with Synopsys, an electronic design automation company and a sponsor of the survey.

Manual processes such as code review have been automated, she said. "There are a lot of static analysis tools that run in your IDE, so developers can find mistakes as they're developing the code," she explained.

Automation is critical for doing DevOps in a secure fashion, said Anthony Bettini, senior director of engineering and research at Tenable, a threat measurement, management, and monitoring company, and a sponsor of the report.

"When you're changing a production application on an everyday basis, security testing needs to be done at that same speed. So in the same way that software defects get tested in an automated way to make sure the build is ready for production, security testing needs to be automated as well."
Anthony Bettini

No direct cause and effect?

Just because an organization is engaged in rapid application development doesn't mean it's inherently turning out more secure apps, said Pete Chestna, director of developer engagement at CA Veracode, an application security company and one of the sponsors of the report.

"There is no cause and effect between rapid app development and security. There is no data in the survey to support it."
Pete Chestna

He explained that developers fix flaws in their applications either because they feel accountable for security outcomes or because there is a security check on the way to production.

"Teams that release rapidly can do so with or without security checks. That stands out [clearly] in the data in the survey."
Pete Chestna

If they have a mandate to fix security vulnerabilities, high-performing teams will naturally shift their testing to the left over time, because they understand that they need to fail fast and find flaws that need to be fixed as early in the lifecycle as possible, Chestna added.

Rapid application development is not for everyone, explained Willy Leichter, vice president of marketing at Virsec, a web application security company.

"Rapid development can work for Facebook and Amazon AWS, but we deal with a lot of healthcare and critical-infrastructure organizations."
Willy Leichter

Healthcare and infrastructure organizations are more cautious about real-time development and rapid releases because they feel they have to do much more rigorous testing and certification, Leichter explained.

Validation for believers

For believers that rapid application development can make apps more secure, the SANS report can be a validation of their beliefs, said Dan Kuykendall, senior director for application security products at Rapid7, a provider of security and analytics solutions and a sponsor of the report.

"Conceptually, we all thought it would make things better. It's interesting to see that now there are some stats to back that up."
Dan Kuykendall

Share your team's best practices for delivering continuous security below.
